Dear All,

I need to calculate time difference for 2 time stamps as below:

Query:
source="E:\Data Upload to Splunk\CSL_KM_Reports\EMAIL\test.csv" host="DE2VS567" index="csl_km" sourcetype="csv" date_month="october" | eval field=split(Subject,"DEOLYCLO02") | rename field as "EmailRecTime" ,date_month as Month | eval earliesttime=strptime(EmailRecTime,"%d/%m/%Y %H:%M:%S")| eval latesttime=strptime(Date,"%d/%m/%Y %H:%M:%S") | eval diff = tostring(earliesttime-latesttime,"duration")| eval diff1 = round(diff/60/60/24) | eval duration2=replace(diff,"(\d*)+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") | eval status_code=case(diff>="00:02:00.000000", "NOTMET" ,diff<="00:02:00.000000", "MET") | table ClusterName,Month,EmailRecTime,Date,latesttime,earliesttime,diff,duration2,status_code

My first column has earliest time to be less that latestime and Diff output is blank.Please help on this.